Lamont Colucci
Ripon College
It is surprising that it has taken about 20 years to openly discuss cyber attacks against the United States committed by other nations. The first major attack is often cited as the “Moonlight Maze” attack of 1998, which is believed to have emanated from Russia. It is even stranger that we are debating whether or not these types of attacks are acts of war and aggression. This lackadaisical attitude is perhaps a function not so much of policy attitudes but culture and generational trends. Generation X and Millennials grew up with the Internet primarily as a positive force in their lives. Further, the Internet is seen as amorphous, surreal and lacking in a concrete manifestation. Negative news about the Internet focuses on such issues as identity theft, cyber stalking, and poor social judgment, as countless people engage in negative behavior that may haunt them in later life. This is unfortunate since the Internet dominates most areas of national security and American corporate activity. These foreign nation cyber attacks have become more sensationalized with the North Korean attack against Sony and allegations of Russian intervention in the 2016 election cycle.
The United States must have a clear policy that cyber attacks will be treated as an act of aggression and war viewed no differently than a kinetic attack, or an attack that results in tangible physical damage and/or human casualties. In 2011, the Pentagon opened the official door by declaring that “any computer attack that threatens widespread civilian casualties”[1] could be considered an act of war garnering a military response. In an increasingly tense atmosphere over the issue, Sen. Mike Rounds in 2016 introduced a bill called the Cyber Act of War Act, which would: “(1) develop a policy for determining when an action carried out in cyberspace constitutes an act of war against the United States, and (2) revise the Department of Defense Law of War Manual accordingly.” In developing this policy, the President shall consider: “(1) the ways in which a cyber attack’s effects may be equivalent to a conventional attack’s effects, including physical destruction or casualties; and (2) intangible effects of significant scope or duration.”[2] However, as critics have noted, this is less of a guideline for the use of force than a demand that any administration make clear what American policy is toward such an attack.
It is not the purview of this article to discuss non-state actors, but even with state actors, there is a question of attribution: how sure is the United States that a particular state engaged in a cyber attack?[3] For any response policy to exist, the president must force the intelligence community (IC) to possess and maintain the tools to credibly give him positive attribution. The IC will likely resist such pressure but should be reminded that this is the reason the IC exists in the first place. It is highly likely that the IC will claim that they cannot be definite in all cases about who the aggressor is; further, they may try to stall by arguing that more time is needed to assess the situation. Like many areas that demand firm answers from the American intelligence services, the IC should be forced to give an assessment and not be allowed to be ambiguous. Its entire reason for existence is to make such judgment calls and analysis. As much as it is important to be sure and prudent, it is equally important to act decisively to prevent major harm to the United States and the American people. This fully recognizes the possibility that a bad actor could attempt a covert operation designed to make the United States think a national actor engaged in an attack when they did not. This could even be an action by a national actor itself. Perhaps Iran will attempt an attack that appears like the Chinese or the Russians. This is another reason that a declared policy that cyber attacks by national actors will be considered an act of war will inject a needed seriousness on all sides of the equation. It sends a powerful message not only to our own intelligence community but also to potential adversaries that this issue has left the ethereal feelings surrounding the internet and has entered the domain of hard power national security.
Another area directly related to cyber attacks by national actors is the area of cyber espionage. Again, culture has clouded the issue as espionage is still thought of along the old lines of human intelligence and signals intelligence. However, what could once not be achieved by an army of covert operators can now be achieved by an individual or small group of cyber operators. Cyber espionage is one of the most common threats the United States faces at the hands of state actors. This has often been an overlooked area of espionage by the media, and even politicians, as it often focuses on economic and industrial espionage. It is not considered by many of these same politicians or media actors as serious as attacks against the Pentagon’s communication systems, or even for some, as media manipulation. However, this is more of an ongoing threat than any other, and it harms the United States on a daily basis. In light of this, on April 1, 2015, President Barack Obama signed an executive order, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”[4] This policy would allow the United States government, through the secretary of the treasury (in consultation with the attorney general and secretary of state) to apply sanctions to individuals or groups that engage in economic espionage. The administration’s test was if the attack created “a significant threat to U.S. national security, foreign policy, or economic health or financial stability of the United States.” Although this was a long overdue step in the right direction, it may again reflect the Obama administration’s instinct to take the minimalist path of least resistance. Economic espionage encompasses everything from stealing to altering to destroying intellectual property or other trade secrets. This can be anything from machine blueprints to software applications to private employee information to chemical formulas. 
And while defense contractors and military technology top the looting list, everything is fair game: civilian aviation, gaming software, agricultural seeds, pharmaceuticals or car brakes. Naturally, Silicon Valley and corporations such as Microsoft, Google, Apple, HP, and Oracle are top targets. And while the good, old-fashioned spy work of using human intelligence assets and dealing with physical documents is still a reality, foreign agents can now also work remotely, through cyber attacks, malware, viruses and other forms of hacking.
The cost to the American economy and American jobs is staggering. One 2009 estimate pegged losses at $50 billion but BlackOps Partners Corporation, a firm that handles cyber counterintelligence for Fortune 500 companies, estimated in 2013 that the cost was $500 billion from U.S. companies annually.[5][6] Many of the code names of these attacks seem to come out of a Tom Clancy novel: Red October, Flame, Operation Aurora and the Elderwood Project. The aggressors have similarly colorful names: Unit 61398, for example, and Energetic Bear.
These last two were not independent hackers. Unit 61398 is part of China’s People’s Liberation Army while Energetic Bear was widely believed to be supported by Russia. Notice that these are not Russian and Chinese corporations but the governments themselves (indeed, they are the two biggest cyber adversaries of the United States). A 2013 report by the cyber security firm Mandiant estimated that Unit 61398 had hacked into 141 companies.[7] Similarly, a 2014 report by the firm CrowdStrike said that the Russian government had penetrated hundreds of American, European and Asian companies, stealing valuable intellectual property.[8]
One needs to be reminded that these are state actors of the two greatest power threats to United States interests using their intelligence arms to attack U.S. corporations. This is not about sanctions, this is warfare, and it should be treated as such. The Russian cyber attacks against the Estonian Parliament in 2007, the attacks against Georgia in 2008 (which were a prelude to the Russian invasion), and Ukraine continuously, should have served as a clear warning that the future for the United States looks dark if no decisive policy is enacted. Russia and China are the most common sources of national actor attacks against the United States. If these two nations perceive weakness on America’s part, they will amplify and exploit their attacks progressively.
Although economic cyber espionage is the most common form of state-actor attacks, the question remains as to how the United States should respond to a cyber-attack that seeks to seriously harm our national security infrastructure or population. In May 2017, National Security Agency director Mike Rogers stated, “Advanced states continue to demonstrate the ability to combine cyber effects, intelligence, and asymmetric warfare to maintain the initiative just short of war, challenging our ability to react and respond.”[9] The scenarios of nation-state cyber attacks against the United States are endless: cut down the power grid, hack the major financial institutions, bring down military communications, confuse major transportation and supply chain networks. Many of these attacks may lead to the deaths of tens of thousands, especially those targeting health care and the water and food supply, and can cause mass casualties to the American military. Many national security experts have focused on the catastrophic result should a terrorist group or a rogue nation like Iran or North Korea deliver an electromagnetic pulse (EMP) strike against the United States. An EMP attack by even a single nuclear detonation at high altitude above the surface could destroy electrical power to over 70% of the United States, resulting in casualties on a scale never before seen in warfare.[10] Hypothetical accounts of the days without electric power are terrifying. Lloyds of London and the University of Cambridge’s Centre for Risk Studies analyzed a scenario where an attack on the power grid resulted in a 15-state blackout plunging 93 million people into darkness: “Experts predict it would result in a rise in mortality rates as health and safety systems fail; a decline in trade as ports shut down; disruption to water supplies as electric pumps fail and chaos to transport networks as infrastructure collapses. The total impact to the US economy is estimated at $243 billion, rising to more than $1 trillion in the most extreme version of the scenario.”[11]
However, the same could be achieved via a cyber attack. There needs to be an unambiguous policy whose declaration would include the following: Any major cyber attack against United States’ interests or people will be treated as an attack by any other weapon of mass destruction in the same category as nuclear, chemical, biological, and radiological. It is clear that short of the use of a hydrogen bomb, a major cyber attack will be more severe than any other weapon of mass destruction. The scale of such a cyber attack could be vast and comprehensive.[12] Second, any cyber attack by a state actor will not be governed by the same type of response. The United States will use kinetic force to counter or retaliate against a serious cyber attack. In plain language, a state actor that engages in a serious cyber attack against the American power grid will find its own power grid destroyed by cruise missiles. Third, the United States will not be forced into a proportional response if the severity of the attack causes major damage or loss of life.
A serious cyber attack against the United States should be treated in the same way as we treated the potential for a nuclear attack in the 20th century. The United States must respond with the full force of American power and ensure that no nation contemplates this type of aggression.
Notes:
[1] David Sanger and Elisabeth Bumiller, “Pentagon to Consider Cyberattacks Acts of War,” The New York Times, May 31, 2011.
[2] U.S. Senate Bill 2905, 114th Congress, May 9, 2016.
[3] Dan Gallington, “U.S. Response to Cyber Attacks,” C-Span interview, June 11, 2011.
[4] President Barack Obama, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities,” The White House, Executive Order, April 1, 2015.
[5] Joshua Philipp, “The Staggering Cost of Economic Espionage Against the US,” The Epoch Times, October 22, 2013.
[6] James Scott and Drew Spaniel, “China’s Espionage Dynasty: Economic Death by a Thousand Cuts,” Institute for Critical Infrastructure Technology, July 17, 2016, https://icitech.org/
[7] FireEye, Inc., “What About the Plant Floor? Six Subversive Security Concerns for Industrial Environments,” 2017.
[8] Jim Finkle, “Russia hacked hundreds of Western, Asian companies,” Reuters, January 21, 2014.
[9] Dan Boylan, “Mike Rogers, NSA chief, to Senate: Cyberattack on infrastructure ‘worst-case scenario,’” The Washington Times, May 9, 2017.
[10] Henry F. Cooper and Peter Vincent Pry, “The Threat to Melt the Electric Grid,” The Wall Street Journal, April 30, 2015, https://www.wsj.com/
[11] Lloyds of London and the University of Cambridge Centre for Risk Studies, “Business Blackout,” July 8, 2015.
[12] Quan Hai T. Lu, “Cyber Attacks The New WMD Challenge to the Interagency,” InterAgency Journal 6, 2 (Special Edition, Spring 2015).
Copyright 2018 ABC-CLIO, LLC
This post originally appeared on ABC-CLIO’s Praeger Security International website
This content may be used for non-commercial, course and research purposes only.
MLA Citation:
Colucci, Lamont. “Cyber Attacks Should be Treated As an Act of War.” Praeger Security International, ABC-CLIO, 2018, psi.praeger.com/Search/
https://psi.praeger.com/
Entry ID: 2174723